Facebook click-jacking

This week I’ve seen three friends “like” something on Facebook which I doubt they actually like. Security folks such as Graham Cluley at Sophos call this “click-jacking” or “like-jacking.” It’s been around for a while, but some new attacks are making the rounds lately. How it works:

The targeted user receives an email which includes a link, or sees an appealing link in someone else’s Facebook feed. Garden variety social engineering. I saw “webcam shocker” (read: porn), “Disney secrets,” and “Read this and you’ll never text again!” as click-bait.

The target clicks the link to open the web page which contains the nasty bits. Here’s a screenshot of the “webcam” click-jacking page. The target then clicks again, following the directions to get the bait, and the evil deed is done.

Some of these click-jacking pages imitate the appearance of Facebook: its blue and white color scheme, headers and footers, and/or fake versions of widgets Facebook allows legitimate sites to use for off-Facebook “liking.” Smartphone users are probably more susceptible to this visual deception, since they work with smaller screens and/or reduced-size pages. You don’t have to look too hard at the “Caught on webcam” example to see it’s rough around the edges: there’s no Facebook logo, and the fake Facebook widgets and links don’t actually work. However, when small, that familiar blue color may look Facebooky enough to earn that second click.

As Cluley describes, not all click-jackers imitate Facebook’s appearance; some are rather generic, or use a fake error message to get that second click. The real target of the second click is usually hidden with transparent iframes and/or JavaScript, so hovering over the button shows no link destination. Pretty nasty indeed. For example, a button that says “View image” may sit underneath an invisible iframe containing Facebook’s own Like button, so the click “likes” the page in question instead of showing an image. The “caught on webcam” scam I looked at uses several layers of obfuscation:

Facebook-like headers and footers, as noted above.

Right-click is intercepted by a JavaScript handler which displays an alert instead of the context menu (so you can’t easily pick “View source” or inspect the button).

The source code is obfuscated: it begins with an HTML comment containing the alert text noted above, followed by a hundred or so spaces, and all of the code is on one line. So at first glance, “View source” shows only an HTML comment.

The malicious code is in a separate page integrated with an iframe.

Worst of all: the second click may not appear to do anything, so those who fall prey to these scams may not even know it.
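To make the layers above concrete, here is an added example (mine, not code from the original post or from any scam page): a constructed one-line page that uses the same tricks, and a small scanner that strips the leading comment/space padding and flags the tell-tale signs. The sample markup, the alert text, the element IDs and the `like.php` plugin URL are assumptions made for this example; the scanner is regex-based, so treat it as a triage aid, not a parser.

```javascript
// Added example: detecting the like-jacking page structure described above.
// SAMPLE_PAGE is constructed for this example; its IDs, text, and the
// like.php URL are assumptions, not taken from a real scam page.

// Layer 1: an HTML comment followed by a long run of spaces, then all of the
// real markup on the same line, so "View source" looks empty at first glance.
// Layer 2: oncontextmenu swallows right-click and shows an alert instead.
// Layer 3: the visible "View image" button is covered by a zero-opacity
// iframe whose contents are the Like widget, so the click lands there.
const SAMPLE_PAGE =
  '<!-- This content is protected. -->' + ' '.repeat(120) +
  '<html><body oncontextmenu="alert(\'This content is protected.\');return false;">' +
  '<div id="bait" style="position:absolute;top:200px;left:100px;">' +
  '<img src="view-image.png" alt="View image">' +
  '</div>' +
  '<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2Fwebcam"' +
  ' style="position:absolute;top:200px;left:100px;width:90px;height:25px;' +
  'opacity:0;filter:alpha(opacity=0);z-index:10"' +
  ' scrolling="no" frameborder="0"></iframe>' +
  '</body></html>';

// Remove a leading comment plus whatever whitespace follows it, so the
// markup that was pushed off-screen becomes visible.
function stripLeadingPadding(html) {
  const m = html.match(/^\s*<!--[\s\S]*?-->\s*/);
  return m ? html.slice(m[0].length) : html;
}

// Parse the style="" attribute of a single tag into a lower-cased map.
function parseStyle(tag) {
  const style = {};
  const m = tag.match(/style\s*=\s*"([^"]*)"/i);
  if (!m) return style;
  for (const decl of m[1].split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) {
      style[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
    }
  }
  return style;
}

// True when an element is present in the layout but cannot be seen.
function isInvisible(style) {
  if (style.opacity !== undefined && parseFloat(style.opacity) === 0) return true;
  if (/alpha\(opacity\s*=\s*0\)/.test(style.filter || '')) return true;
  return style.visibility === 'hidden';
}

// Scan a page and report the indicators discussed in the post.
function analyzePage(html) {
  const leadingPadding = /^\s*<!--[\s\S]*?-->\s{20,}/.test(html);
  const body = stripLeadingPadding(html);
  const rightClickBlocked = /oncontextmenu\s*=/i.test(body);
  const iframes = [];
  const re = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const tag = m[0];
    const style = parseStyle(tag);
    const src = (tag.match(/src\s*=\s*"([^"]*)"/i) || [])[1] || '';
    iframes.push({
      src,
      hidden: isInvisible(style),
      // Absolutely positioned with an explicit z-index: stacked over something.
      overlaid: style.position === 'absolute' && style['z-index'] !== undefined,
      likeWidget: /facebook\.com\/plugins\/like\.php/i.test(src),
    });
  }
  // A hidden iframe that frames the Like widget is the like-jacking signature.
  const likejack = iframes.some((f) => f.likeWidget && f.hidden);
  return {
    oneLine: !body.includes('\n'),
    leadingPadding,
    rightClickBlocked,
    iframes,
    likejack,
  };
}

console.log(JSON.stringify(analyzePage(SAMPLE_PAGE), null, 2));
```

Run it with Node; the report lists each iframe with its source and whether it is hidden and overlaid, and sets `likejack` when a hidden frame points at the Like widget. A benign embed of the same widget (visible, not stacked over another control) is not flagged, which is the point: the widget itself is legitimate, and the problem is how it is positioned.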

What to do? Think before you click. Nothing new about that. At least the payload is pretty benign, for now. Hopefully no one will figure out how to do this with a single click (and/or Facebook will tighten “like” up to make that impossible). Note that the usual anti-framing defenses (X-Frame-Options, frame-busting scripts) don’t help here: the Like widget is designed to be embedded in other sites’ pages, so the fix has to come from Facebook’s side. One-click like-jacking combined with a nastier payload (a Trojan horse) would be a much more serious problem.

I thought I’d add to my earlier comment, since the scenario I had was a little different than the one you describe (although I’m guessing the mechanism is the same). I saw a “like” post on a friend’s page that I was curious about because it didn’t seem like something he’d like (which should have been the signal to avoid I guess). But it was a cryptic phrase so I thought I’d see what the hell it was. When I clicked it, it went to a survey/questionnaire which was supposedly the only way to get to the actual page. I simply shrugged and left, but by visiting the survey in the first place I had unknowingly “liked” the link, helping channel more people to the survey. I only later saw that I had it on my page and was able to remove it.